---
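# Deployment that runs two replicas of the unprivileged nginx image under a
# restricted container security context.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-unprivileged
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # Least privilege: a stock nginx container has no need to call the
      # Kubernetes API, so do not mount a service account token into the pod.
      automountServiceAccountToken: false
      containers:
      - name: nginx
        # NOTE(review): no tag or digest is given, so this resolves to
        # ":latest" and the code that runs can change between pulls. Pin to a
        # tested tag or, better, an immutable digest, e.g.
        # nginxinc/nginx-unprivileged@sha256:<DIGEST_PLACEHOLDER>.
        image: nginxinc/nginx-unprivileged
        ports:
        # A port above 1023 can be bound without NET_BIND_SERVICE, which is
        # dropped together with every other capability below.
        - containerPort: 8080
        securityContext:
          # Blocks the process from gaining more privileges than its parent
          # (setuid binaries, file capabilities).
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsGroup: 1001
          # The kubelet refuses to start the container if it would run as
          # UID 0; runAsUser below sets the UID explicitly.
          runAsNonRoot: true
          runAsUser: 1001
          # Apply the container runtime's default seccomp syscall filter.
          seccompProfile:
            type: RuntimeDefault
          # NOTE(review): readOnlyRootFilesystem and resource requests/limits
          # are not set. Consider adding them once the writable paths and the
          # sizing this workload needs have been confirmed.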
---
# Service that forwards TCP port 8080 to port 8080 of the pods labelled
# app=nginx.
apiVersion: v1
kind: Service
metadata:
  name: nginx-unprivileged-svc
spec:
  # LoadBalancer asks the cluster's provider to provision a load balancer in
  # front of this Service.
  # NOTE(review): if this endpoint should only be reachable from known
  # networks, confirm the exposure is intended and restrict it (for example
  # with loadBalancerSourceRanges), or use ClusterIP for in-cluster traffic.
  type: LoadBalancer
  selector:
    app: nginx
  ports:
  # NOTE(review): the port is named "http"; presumably traffic is plaintext,
  # so confirm where TLS is terminated.
  - name: http
    port: 8080
    targetPort: 8080
